System and method for advanced control tools for administrators in a cloud-based service

ABSTRACT

A cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) is described that provides advanced control tools for administrators of an enterprise account. The advanced control tools permit the administrator to set mobile security settings for mobile devices running applications that allow a user to access enterprise data in the cloud-based platform; activity notification archiving; support for multiple email domains; automation processes; and policies. The settings selected by the administrator are applied enterprise-wide within the cloud-based platform.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Patent Application No. 61/708,926 entitled, “ADVANCED CONTROL TOOLS AND ENTERPRISE-WIDE SEARCH FOR ADMINISTRATORS IN AN ENTERPRISE,” which was filed Oct. 2, 2012; U.S. Provisional Patent Application No. 61/677,249 entitled “ADVANCED SEARCH AND FILTERING MECHANISMS FOR ENTERPRISE ADMINISTRATORS IN A CLOUD-BASED ENVIRONMENT,” which was filed on Jul. 30, 2012; and U.S. Provisional Patent Application No. 61/706,546 entitled “ADVANCED SEARCH AND FILTERING MECHANISMS FOR ENTERPRISE ADMINISTRATORS IN A CLOUD-BASED ENVIRONMENT,” which was filed on Sep. 27, 2012, the contents of which are incorporated by reference in their entireties herein.

BACKGROUND

Security continues to be a major area of concern as more and more enterprises adopt cloud-based solutions for content management. When corporate content that is potentially stored in the cloud is accessed by many corporate users, there is typically an administrator that oversees and monitors the use of the cloud. Among other functions, the administrator may be responsible for ensuring the security of the corporate data stored in the cloud, particularly with the increased access of cloud content via mobile devices.

BRIEF DESCRIPTION OF THE DRAWINGS

Examples of a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) that provides advanced control tools to an administrator of an enterprise account are illustrated in the figures. The examples and figures are illustrative rather than limiting.

FIG. 1 illustrates an example diagram of a system where a host server provides advanced control tools to an administrator of an enterprise account in a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 2 depicts an example diagram of a web-based or cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) deployed in an enterprise or other organizational setting for organizing work items and workspaces.

FIG. 3 depicts a block diagram illustrating an example of components in the content manager of a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIGS. 4A-4B depict screenshots showing examples of a user interface for selecting security settings for mobile devices accessing the enterprise's content in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIGS. 5A-5B depict screenshots showing examples of a user interface for selecting compliance email archive settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 6 depicts a screenshot showing an example of a user interface for selecting email domain support settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 7 depicts a screenshot showing an example of a user interface for selecting automation settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 8 depicts a screenshot showing an example of a user interface for selecting policy settings for downloading information from an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 9 depicts a screenshot showing an example of a user interface for selecting policy settings for uploading information to an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). selecting details of a policy to be applied to an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 10A depicts a screenshot showing an example of a user interface for selecting policy settings for sharing information in an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 10B depicts a screenshot showing an example of a user interface providing statistics about a previously defined policy in an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 11 depicts a flow chart illustrating an example process for selecting security settings for mobile devices accessing the enterprise's content in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 12 depicts a flow chart illustrating an example communications process between a mobile device and the host server for the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service)

FIG. 13 depicts a flow chart illustrating an example process for selecting compliance email archive settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 14 depicts a flow chart illustrating an example process for selecting email domain support settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 15 depicts a flow chart illustrating an example process for selecting automation settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 16 depicts a flow chart illustrating an example process for selecting policy settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

FIG. 17 shows a diagrammatic representation of a machine in the example form of a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.

DETAILED DESCRIPTION

A cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) is described that provides advanced control tools for administrators of an enterprise account. The advanced control tools permit the administrator to set mobile security settings for mobile devices running applications that allow a user to access enterprise data in the cloud-based platform; activity notification archiving; support for multiple email domains; automation processes; and policies. The settings selected by the administrator are applied enterprise-wide within the cloud-based platform.

Various aspects and examples of the invention will now be described. The following description provides specific details for a thorough understanding and enabling description of these examples. One skilled in the art will understand, however, that the invention may be practiced without many of these details. Additionally, some well-known structures or functions may not be shown or described in detail, so as to avoid unnecessarily obscuring the relevant description.

The terminology used in the description presented below is intended to be interpreted in its broadest reasonable manner, even though it is being used in conjunction with a detailed description of certain specific examples of the technology. Certain terms may even be emphasized below; however, any terminology intended to be interpreted in any restricted manner will be overtly and specifically defined as such in this Detailed Description section.

FIG. 1 illustrates a diagram of an example system that has a host server 100 with a content manager 111 that provides advanced control tools to an administrator to select settings that apply across an enterprise or organization using a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The content manager 111 enables the administrator to select mobile security settings that apply to mobile devices accessing data in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service), to customize automated actions performed across the enterprise, and to customize policies for data uploaded to, downloaded from, and shared within the cloud-based platform for the enterprise account.

The client devices 102 can be any system and/or device, and/or any combination of devices/systems that is able to establish a connection, including wired, wireless, cellular connections with another device, a server and/or other systems such as host server 100 via, for example, a web application. Client devices 102 will typically include a display and/or other output functionalities to present information and data exchanged between or among the devices 102 and/or the host server 100.

For example, the client devices 102 can include mobile, hand held or portable devices or non-portable devices and can be any of, but not limited to, a server desktop, a desktop computer, a computer cluster, or portable devices including, a notebook, a laptop computer, a handheld computer, a palmtop computer, a mobile phone, a cell phone, a smart phone (e.g., a BlackBerry device such as BlackBerry Z10/Q10, an iPhone, Nexus 4, etc.), a Treo, a handheld tablet (e.g. an iPad, iPad Mini, a Galaxy Note, Galaxy Note II, Xoom Tablet, Microsoft Surface, Blackberry PlayBook, Nexus 7, 10 etc.), a phablet (e.g., HTC Droid DNA, etc.), a tablet PC, a thin-client, a hand held console, a hand held gaming device or console (e.g., XBOX live, Nintendo DS, Sony PlayStation Portable, etc.), iOS powered watch, Google Glass, a Chromebook and/or any other portable, mobile, hand held devices, etc. running on any platform or any operating system (e.g., Mac-based OS (OS X, iOS, etc.), Windows-based OS (Windows Mobile, Windows 7, Windows 8, etc.), Android, Blackberry OS, Embedded Linux platforms, Palm OS, Symbian platform, Google Chrome OS, and the like. In one embodiment, the client devices 102, and host server 100 are coupled via a network 106. In some embodiments, the devices 102 and host server 100 may be directly connected to one another.

The input mechanism on client devices 102 can include touch screen keypad (including single touch, multi-touch, gesture sensing in 2D or 3D, etc.), a physical keypad, a mouse, a pointer, a track pad, motion detector (e.g., including 1-axis, 2-axis, 3-axis accelerometer, etc.), a light sensor, capacitance sensor, resistance sensor, temperature sensor, proximity sensor, a piezoelectric device, device orientation detector (e.g., electronic compass, tilt sensor, rotation sensor, gyroscope, accelerometer), or a combination of the above.

Signals received or detected indicating user activity at client devices 102 through one or more of the above input mechanism, or others, can be used in the disclosed technology by various users or collaborators (e.g., collaborators 108) for accessing, through network 106, a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) (e.g., hosted by the host server 100). The collaboration environment or platform can have one or more collective settings 125 for an enterprise or an organization to which the users belong, and can provide a user interface 104 for the users to access such platform under the settings 125.

The cloud-based service (e.g., collaboration platform or environment) hosts workspaces with work items that one or more users can access (e.g., view, edit, update, revise, comment, add to discussions, download, preview, tag, or otherwise manipulate, etc.). A work item can generally include any type of digital or electronic content that can be viewed or accessed via an electronic device (e.g., device 102). The digital content can include .PDF files, .doc, slides (e.g., PowerPoint slides), images, audio files, multimedia content, web pages, blogs, etc. A workspace can generally refer to any grouping of a set of digital content in the collaboration platform. The grouping can be created, identified, or specified by a user or through other means. This user may be a creator user or administrative user, for example.

In general, a workspace can be associated with a set of users or collaborators (e.g., collaborators 108) which have access to the content included therein. The levels of access (e.g., based on permissions or rules) of each user or collaborator to access the content in a given workspace may be the same or may vary among the users. Each user may have their own set of access rights to every piece of content in the workspace, or each user may have different access rights to different pieces of content. Access rights may be specified by a user associated with a workspace and/or a user who created/uploaded a particular piece of content to the workspace, or any other designated user or collaborator.

In general, the collaboration platform allows multiple users or collaborators to access or collaborate on efforts on work items such that each user can see, remotely, edits, revisions, comments, or annotations being made to specific work items through their own user devices. For example, a user can upload a document to a workspace for other users to access (e.g., for viewing, editing, commenting, discussing, signing-off, or otherwise manipulating). The user can login to the online platform and upload the document (or any other type of work item) to an existing workspace or to a new workspace. The document can be shared with existing users or collaborators in a workspace. Each document, work item, file, and folder can only be owned by a single user. However, the owner of the document, work item, file, or folder can transfer ownership to another collaborator.

The content databases 121-1 to 121-n store files and folders uploaded to the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) along with metadata for the uploaded files and folders.

In some embodiments, client devices 102 communicate with the host server 100 over network 106. In general, network 106, over which the client devices 102 and the host server 100 communicate, may be a cellular network, a telephonic network, an open network, such as the Internet, or a private network, such as an intranet and/or the extranet, or any combination thereof. For example, the Internet can provide file transfer, remote log in, email, news, RSS, cloud-based services, instant messaging, visual voicemail, push mail, VoIP, and other services through any known or convenient protocol, such as, but not limited to, the TCP/IP protocol, Open System Interconnections (OSI), FTP, UPnP, iSCSI, NSF, ISDN, PDH, RS-232, SDH, SONET, etc.

The network 106 can be any collection of distinct networks operating wholly or partially in conjunction to provide connectivity to the client devices 102 and the host server 100 and may appear as one or more networks to the serviced systems and devices. In some embodiments, communications to and from the client devices 102 can be achieved by, an open network, such as the Internet, or a private network, such as an intranet and/or the extranet. In some embodiments, communications can be achieved by a secure communications protocol, such as secure sockets layer (SSL), or transport layer security (TLS).

In addition, communications can be achieved via one or more networks, such as, but are not limited to, one or more of WiMax, a Local Area Network (LAN), Wireless Local Area Network (WLAN), a Personal area network (PAN), a Campus area network (CAN), a Metropolitan area network (MAN), a Wide area network (WAN), a Wireless wide area network (WWAN), enabled with technologies such as, by way of example, Global System for Mobile Communications (GSM), Personal Communications Service (PCS), Digital Advanced Mobile Phone Service (D-Amps), Bluetooth, Wi-Fi, Fixed Wireless Data, 2G, 2.5G, 3G, 4G, IMT-Advanced, pre-4G, 3G LTE, 3GPP LTE, LTE Advanced, mobile WiMax, WiMax 2, WirelessMAN-Advanced networks, enhanced data rates for GSM evolution (EDGE), General packet radio service (GPRS), enhanced GPRS, iBurst, UMTS, HSPDA, HSUPA, HSPA, UMTS-TDD, 1×RTT, EV-DO, messaging protocols such as, TCP/IP, SMS, MMS, extensible messaging and presence protocol (XMPP), real time messaging protocol (RTMP), instant messaging and presence protocol (IMPP), instant messaging, USSD, IRC, or any other wireless data networks or messaging protocols.

The automation engine 113 performs the automation processes set up by the administrator via the content manager 111, and the policy engine 115 executes the policies set up by the administrator via the content manager 111. As shown in FIG. 1, the automation engine 113 and the policy engine 115 are part of the host server 110. However, in some embodiments, one or both of the automation engine 113 and the policy engine 115 can be external to the host server 110. In some embodiments, the automation engine 113 and/or the policy engine 115 are accessed via the network 106 by the host server 110.

FIG. 2 depicts an example diagram of a web-based or cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) deployed in an enterprise or other organizational setting 250 for organizing workspaces 205, 225, 245 and work items 215, 235, 255, where the work items and workspaces are hosted on content databases 1, 2, . . . n 121-1, 121-2, . . . 121-n.

The web-based platform for collaborating on projects or jointly working on documents can be used by individual users and shared among collaborators. In addition, the collaboration platform can be deployed in an organized setting including but not limited to, a company (e.g., an enterprise setting), a department in a company, an academic institution, a department in an academic institution, a class or course setting, or any other types of organizations or organized setting.

When deployed in an organizational setting, multiple workspaces (e.g., workspace A, B C) can be created to support different projects or a variety of work flows. Each workspace can have its own associated work items. For example, workspace A 205 may be associated with work items 215, workspace B 225 can be associated with work items 235, and workspace N 245 can be associated with work items 255. The work items 215, 235, and 255 may be unique to each workspace but need not be. For example, a particular word document can be associated with only one workspace (e.g., workspace A 205) or it may be associated with multiple workspaces (e.g., workspace A 205 and workspace B 225, etc.).

In general, each workspace has a set of users or collaborators associated with it. For example, workspace A 205 is associated with multiple users or collaborators 206. In some instances, workspaces deployed in an enterprise may be department specific. For example, workspace B may be associated with department 210 and some users shown as example user A 208, and workspace N 245 can be associated with departments 212 and 216 and users shown as example user B 214.

FIG. 3 depicts a block diagram illustrating an example of components in the content manager 111 of the host server 100 of a cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

The host server 100 of the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) can generally be a cloud-based service. The content manager 111 of the host server 100 can include, for example, a network interface 302, a mobile setting module 320, a notification module 330, an email domain module 340, a user interface module 350, an automation module 355, a policy module 360, and/or an advanced tools database 370. Additional or fewer components/modules/engines can be included in the host server 100, content manager 111, and each illustrated component.

The network interface 302 can be a networking module that enables the content manager 111 to mediate data in a network with an entity that is external to the content manager 111, through any known and/or convenient communications protocol supported by the content manager 111 and the external entity. The network interface 302 can include one or more of a network adaptor card, a wireless network interface card (e.g., SMS interface, WiFi interface, interfaces for various generations of mobile communication standards including but not limited to 1G, 2G, 3G, 3.5G, 4G, LTE, etc.,), Bluetooth, a router, an access point, a wireless router, a switch, a multilayer switch, a protocol converter, a gateway, a bridge, bridge router, a hub, a digital media receiver, and/or a repeater.

As used herein, a “module” or an “engine” includes a general purpose, dedicated or shared processor and, typically, firmware or software modules that are executed by the processor. Depending upon implementation-specific or other considerations, the module or engine can be centralized or its functionality distributed. The module or engine can include general or special purpose hardware, firmware, or software embodied in a computer-readable (storage) medium for execution by the processor. As used herein, a computer-readable medium or computer-readable storage medium is intended to include all mediums that are statutory (e.g., in the United States, under 35 U.S.C. 101), and to specifically exclude all mediums that are non-statutory in nature to the extent that the exclusion is necessary for a claim that includes the computer-readable (storage) medium to be valid. Known statutory computer-readable mediums include hardware (e.g., registers, random access memory (RAM), non-volatile (NV) storage, to name a few), but may or may not be limited to hardware.

Some embodiments of the content manager 111 include the user interface module 350 which can display or cause to be displayed a suitable user interface that presents appropriate information to the administrator and allows the administrator to enter information in response to provided prompts. The user interface module 350 works in conjunction with the mobile setting module 320, the notification module 330, the email domain module 340, the automation module 355, and the policy module 360. Each of these modules provides the prompts to be displayed by the user interface module 350 to the administrator, and, in some casese, provides a menu of inputs for the administrator to respond with.

Some embodiments of the content manager 111 include the mobile setting module 320 which can provide via the user interface module 350 a mobile security setting user interface for an administrator to set mobile security settings to be applied to mobile device applications that permit a user to access data stored within the enterprise account in the cloud-based service managed by the administrator. The mobile setting module 320 also receives the administrator's selected settings, and interacts with the mobile device applications to enforce the selected mobile security settings.

FIG. 4A depicts a screenshot showing an example of a user interface, with information provided by the mobile setting module 320, for indicating whether files can be saved on mobile devices accessing the enterprise's content in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The administrator can either permit files from the cloud-based platform to be saved on the mobile device or restrict or prevent the mobile device from saving files from the cloud-based platform on the mobile device. The administrator may choose the latter setting to ensure that data stored in the cloud remains protected even though users may access the data on a mobile device. In some embodiments, the administrator can allow files to be saved on mobile devices only when the device is encrypted, such as with Android devices.

FIG. 4B depicts a screenshot showing an example of a user interface, with information provided by the mobile setting module 320, for selecting the duration of inactivity of the mobile device after which entry of an application passcode is required to access the enterprise's content in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The administrator may select to not enforce this function. Alternatively, the administrator may select a period of inactivity, for example, one minute, two minutes, five minutes, 15 minutes, or an hour. Requiring the user to enter a passcode after the selected period of inactivity has elapsed helps reduce the likelihood that a passer-by will be able to access enterprise data if the owner of the mobile device steps away.

The mobile setting module 320 stores the administrator's selections in the advanced controls database 370. As shown in FIG. 3, the advanced controls database 370 is part of the content manager 111. However, in some embodiments, the advanced controls database 370 can be external to the content manager 111. In some embodiments, the advanced controls database 370 is accessed via the network 106 by the content manager 111.

The mobile setting module 320 interacts with each mobile device application every time a user logs in to the cloud-based service via the mobile device. After a user has logged in with the mobile device application, the mobile device application requests from the mobile setting module 320 the stored mobile security settings selected by the administrator. Upon receipt of the request, the mobile setting module 320 sends the stored settings to the mobile device application, and the application enforces the settings. Thus, the administrator's settings are applied to all mobile device applications on every mobile device attempting to access data managed by the administrator in the enterprise account in the cloud-based service.

Some embodiments of the content manager 111 include the notification module 330 which can provide via the user interface module 350 a compliance email archive user interface for enabling compliance email archiving and selecting settings for the archiving. Compliance email archiving is useful in certain industries, such as finance and healthcare, as well as with eDiscovery requirements. In these industries and with eDiscovery, it is required to keep all documentation of communication. In some embodiments of the cloud-based service, the cloud-based service allows users to communicate or enter free text that would be seen by or could be sent to another individual using the cloud-based service, for example, features such as comments, discussions, assigning tasks, and invitations. When compliance email archiving is enabled, whenever a user of the cloud-based service sends a communication, the notification module 330 will automatically email a hidden copy of the selected communication activity to a specified email address. The emails sent by the notification module 330 will ultimately need to be captured and tracked with a separate tracking and archiving system to support business compliance in regulated industries and with eDiscovery requirements.

FIG. 5A depicts a screenshot showing an example of a user interface, with information provided by the notification module 330, for selecting compliance email archive settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The enterprise administrator can disable compliance email archiving using this user interface. Alternatively, the administrator can select activities from preselected groups of activities to be archived, such as comments, discussions, and tasks; or comments, discussions, tasks, and invitations. In some embodiments, the administrator can select each activity to be included for compliance email archiving instead of choosing from preselected groups of activities.

FIG. 5B depicts a screenshot showing an example of a user interface, with information provided by the notification module 330, for selecting an archiving destination for the compliance emails. For example, the administrator can choose to have compliance emails sent to the user performing the actions selected above, or sent to a specific email address entered by the administrator. In some embodiments, the user who took the action and to whom the communication was sent is placed in the header of the email, and the text of the communication and the context is placed in the body of the email.

After the administrator has selected the preferences for compliance emails for the enterprise, the notification module 330 stores the preferences in the advanced tools database 370 and begins appropriately tracking and implementing compliance email archiving.

Some embodiments of the content manager 111 include the email domain module 340 which can provide via the user interface module 350 an email domain support user interface for an administrator to create a single, centralized managed account across multiple email domains for all users. This is useful if a business operates within different countries or has multiple subsidiaries with users that have email addresses from different domains. When multiple email domain support is combined with enterprise-wide search, an administrator is provided the ability to search files being stored and shared across the entire enterprise or organization.

FIG. 6 depicts a screenshot showing an example of a user interface, with information provided by the email domain module 340, for selecting email domain support settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). In the example of FIG. 6, the administrator is provided three choices. The first choice allows anyone with a link to data in the enterprise account to access the data. No log in is required prior to accessing the link. The second choice allows users at specified email domains to access the link in addition to collaborators who have an email address that is not within the specified email domains. The administrator can be prompted to enter the email domains to be permitted access to links to data in the enterprise account. The third choice allows only collaborators in a folder to access the link. External sharing is disabled. While only three choices are provided in the example screenshot of FIG. 6, other choices can be provided to the administrator regarding required permissions prior to accessing a link.

Additionally, as shown in the example screenshot of FIG. 6, the administrator can select permissions for link viewers. For example, link viewers may be permitted to preview and download the shared item, further share the item, or just preview the item. Other permissions can also be selected by the administrator. Once the administrator has selected preferences regarding email domain support for the enterprise, the email domain module 340 stores the information in the advanced tools database 370 and proceeds to execute the administrator's selected choices.

Some embodiments of the content manager 111 include the automation module 355 which can provide via the user interface module 350 an automation user interface for adding a new automation process or editing an existing automation process. The automation process allows tasks within an enterprise account to be automated. For example, if a file is placed into a certain folder, then an approval process is initiated, and if a user approves something, then the process continues. Thus, multiple workflows can be concatenated with the automated process. In some embodiments, an automation process can provide anti-virus and/or malware detection on uploaded files to the enterprise account.

To define an automation process, the administrator selects a condition, and an action to perform if the condition is satisfied. Automation processes can have more than a single condition and action. FIG. 7 depicts a screenshot showing an example of a user interface, with information provided by the automation module 355, for selecting automation settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The administrator begins by naming the automation process, as shown near the top of the example screenshot in FIG. 7. Any previously defined automation processes are presented in a list to the left of the user interface so that the administrator can select one for reviewing and/or editing. The automation process is defined by specifying a condition and corresponding action to be performed if the condition is met. In the example of FIG. 7, the condition is when a file is uploaded to the cloud-based service to a particular folder, and the corresponding action to be performed if this condition is met is to assign an approval task to the user whose email address is entered by the administrator. Other example of a condition includes when a task is completed; when a file commented on; and when a folder is shared. The administrator can choose to add additional condition/action steps. The administrator also has the option to cancel any automation process for the enterprise.

A condition can be set to be the occurrence of any type of action identified by the administrator, for example, uploading, downloading, or sharing a file. The action to be performed upon meeting the condition can also be set to be any type of action.

Once the administrator has selected preferences regarding an automation process for the enterprise, the automation module 355 stores the information in the advanced tools database 370, and the automation engine 113 executes the stored automation process.

Some embodiments of the content manager 111 include the policy module 360 which can provide via the user interface module 350 a policy user interface for adding a new policy or editing an existing policy.

To define a policy, the administrator selects a policy type, a condition, and an action to perform if the condition is satisfied. FIG. 8 depicts a screenshot showing an example of a user interface, with information provided by the policy module 350, for selecting policy settings for downloading information from an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The administrator begins by naming the policy, as shown near the top of the example screenshot in FIG. 8. Any previously defined policies are presented in a list to the left of the user interface so that the administrator can select a policy for reviewing and/or editing. The policy is defined by specifying a policy type, such as upload, download, or sharing. Other policy types may also be specified. In the example of FIG. 8, the policy type is download. The policy module 360 then prompts the administrator with appropriate prompts corresponding to the download policy.

The policy is further defined by specifying a condition and corresponding action if the condition is met. In some embodiments, the policy module 360 can provide the user with selections from a menu corresponding to the selected policy type. For the condition for the example in FIG. 8, the administrator is prompted to select a number of downloaded files (e.g., 50-to 100 files or 500 to 1000 files) and a time period over (e.g., less than one hour or less than 24 hours) corresponding which the files are downloaded. Example actions to be performed if the selected condition is met can be selected from only track for reporting or send a notification to the email addresses provided by the administrator. In some embodiments, other conditions and actions can be selected. The administrator also has the option to cancel any policy for the enterprise.

FIG. 9 depicts a screenshot showing an example of a user interface, with information provided by the policy module 360, for selecting policy settings for uploading information to an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) and selecting details of a policy to be applied to an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). In the example of FIG. 9, the policy type is upload. The policy module 360 then prompts the administrator with appropriate prompts for the upload policy. For the condition for the example of FIG. 9, the administrator is prompted to select an uploaded document contains a social security number, a credit card number, or custom words or numbers. Example actions to be performed if the selected condition is met can be chosen from move the file to quarantine, only track for reporting, and/or send a notification to the email addresses provided by the administrator.

FIG. 10A depicts a screenshot showing an example of a user interface, with information provided by the policy module 360, for selecting policy settings for sharing information in an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). In the example of FIG. 10A, the policy type is sharing. The policy module 360 then prompts the administrator with appropriate prompts for the sharing policy. For the condition for the example of FIG. 10A, the administrator is prompted to select when a user shares content with anyone on the domains provided by the administrator. Example actions to be performed if the defined condition is satisfied can be selected from move the file to quarantine, only track for reporting, and/or send a notification to the email addresses provided by the administrator.

Once the administrator has selected preferences regarding a policy for the enterprise, the policy module 360 stores the information in the advanced tools database 370, and the policy engine 115 executes the stored policy.

After the administrator has defined a policy and elected to start the policy, the administrator can select the policy from the list of defined policies as shown on the left side of FIG. 10B, and statistics pertaining to the policy will be shown. FIG. 10B depicts a screenshot showing an example of a user interface providing statistics about a previously defined policy, Social Security Numbers, as defined in FIG. 9, in an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service). The example of FIG. 10B shows the policy start date, the number of documents processed on upload (because the policy type is upload), and the number of documents effected by the policy (i.e., moved to quarantine). From the user interface, administrator can choose to edit the policy, delete the policy, and view quarantined files.

FIG. 11 depicts a flow chart illustrating an example process for selecting security settings for mobile devices accessing the enterprise's content in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

At block 1105, the content manager provides a setting selection for the administrator for whether files are permitted to be saved on mobile devices accessing enterprise account data in the cloud-based platform, and receives a setting selection from the administrator.

Then at block 1110, the content manager provides a setting selection for the administrator for the duration of inactivity on the mobile device after which entry of an application passcode is required, that is, the elapsed time of inactivity on the mobile device after which the user of the mobile device is required to enter a passcode. The content manager receives a response from the administrator.

And at block 1115, the content manager stores the responses from the administrator received at block 1105 and 1110.

FIG. 12 depicts a flow chart illustrating an example communications process between an application running on a mobile device that permits the user to access data stored in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service) and the content manager for the cloud-based platform for setting security settings on the mobile device.

The actions of the mobile device application 1205 on the left and the content manager 111 on the right are shown relative to each other as a function of time, with time increasing in the downward direction in FIG. 12. Transmissions between the mobile device application 1205 and the content manager 111 are shown by the arrows crossing the center of FIG. 12.

The mobile device application 1205 receives a user login to the mobile device application at block 1210. Then at transmission 1215, the mobile device application 1205 transmits a request for mobile security settings to the content manager 111. The content manager 111 receives the request at block 1220, and transmits the stored mobile security settings to the mobile device application 1205 at transmission 1225.

Then at block 1230, the mobile device application 1205 receives the mobile security settings. Next, at block 1235, the mobile device application 1205 stores the mobile security settings locally, and at block 1240, the mobile device application 1205 enforces the mobile security settings.

FIG. 13 depicts a flow chart illustrating an example process for selecting compliance email archive settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

At block 1305, the content manager receives an indication from the administrator to edit compliance email archive settings. Then at block 1310, the content manager provides a menu of activities for the administrator to select from for archiving. For example, the activities for archiving can be selected from no archiving; archive comments, discussions, and tasks; and archive comments, discussions, tasks, and invitations. Other options can also be offered to the administrator. The content manager receives a selection from the administrator.

Then at block 1315, the content manager provides a selection of archive locations to which the archived activities are to be emailed. For example, the user performing the action can be emailed, or a specific email address provided by the administrator can be used.

At block 1320, the content manager stores the response, and at block 1325, the content manager begins archiving activity based upon the stored response.

FIG. 14 depicts a flow chart illustrating an example process for selecting email domain support settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

At block 1405, the content manager receives an indication from the administrator to edit email domain support settings. Then at block 1410, the content manager provides options for new links to default to. For example, the options can include anyone with the link can be permitted to access it and no log in is required; users at specified email domains with the link can access it as well as collaborators at non-specified email domains; and only invited collaborators in the folder can access the link, and external sharing of data is disabled. Other options can also be offered to the administrator. The content manager receives a selection from the administrator.

At block 1415, the content manager stores the received response, and at block 1420, the content manager implements the link management according to the received response.

FIG. 15 depicts a flow chart illustrating an example process for selecting automation settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

At block 1505, upon request by an administrator of an enterprise account, the content manager provides a selection of automation processes that can be selected for editing or the option to define a new automation process and receives a response from the administrator.

Then at block 1510, the content manager provides appropriate selections for the selected automation process to set up a condition for the automation. For example, the condition can be when a file is uploaded to the cloud-based service to a particular folder. The content manager receives the selection.

Next, at block 1515, the content manager provides appropriate selections for the selected automation process to set up an action if the condition is met. For example, assigning an approval task to a particular user. The content manager receives the selection.

At decision block 1525, the content manager determines whether the administrator wants to add another step to the automation process. If another step is to be added (block 1525—Yes), the process returns to block 1510.

If there are no more steps to be added to the automation process (block 1525—No), at block 1527, the content manager stores the automation information.

At block 1530, the content manager receives an indication to initiate the automation process, and at block 1535, the content manager sends the automation process information to the automation engine for performing the automation.

FIG. 16 depicts a flow chart illustrating an example process for selecting policy settings for an enterprise account in the cloud-based platform (e.g., cloud-based collaboration and/or storage platform/service).

At block 1605, upon request by an administrator of an enterprise account, the content manager provides a selection of policies that can be selected for customization or the option to select a new policy to be entered and receives a response from the administrator.

Then at block 1610, the content manager provides appropriate selections for selecting a policy type, for example, policies that apply to uploaded data to, downloaded data from, and shared date within the cloud-based service. The content manager receives a response on the policy type.

Next, at block 1615, the content manager provides appropriate selections for the selected policy type to set up a condition for the policy. For example, if the selected policy type is downloading data, the condition can be when a user downloads a given number of files within a certain time period, where the administrator selects the number of files and the time period for the policy condition. The content manager receives a selection.

At block 1620, the content manager provides appropriate selections for the selected policy type to set up an action if the condition is met. For example, sending a notification by email to a specified user. The content manager receives a selection.

At block 1622, the content manager stores the policy information. Then at block 1625, the content manager receives an indication to initiate implementing the policy, and at block 1630, the content manager sends the policy information to the policy engine for performing the automation.

FIG. 17 shows a diagrammatic representation of a machine in the example form of a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.

In alternative embodiments, the machine operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.

The machine may be a server computer, a client computer, a personal computer (PC), a user device, a tablet PC, a laptop computer, a set-top box (STB), a personal digital assistant (PDA), a cellular telephone, an iPhone, an iPad, a Blackberry, a processor, a telephone, a web appliance, a network router, switch or bridge, a console, a hand-held console, a (hand-held) gaming device, a music player, any portable, mobile, hand-held device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.

While the machine-readable medium or machine-readable storage medium is shown in an exemplary embodiment to be a single medium, the term “machine-readable medium” and “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable medium” and “machine-readable storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the presently disclosed technique and innovation.

In general, the routines executed to implement the embodiments of the disclosure may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” The computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer that, when read and executed by one or more processing units or processors in a computer, cause the computer to perform operations to execute elements involving the various aspects of the disclosure.

Moreover, while embodiments have been described in the context of fully functioning computers and computer systems, those skilled in the art will appreciate that the various embodiments are capable of being distributed as a program product in a variety of forms, and that the disclosure applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution.

Further examples of machine-readable storage media, machine-readable media, or computer-readable (storage) media include but are not limited to recordable type media such as volatile and non-volatile memory devices, floppy and other removable disks, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), among others, and transmission type media such as digital and analog communication links.

Unless the context clearly requires otherwise, throughout the description and the claims, the words “comprise,” “comprising,” and the like are to be construed in an inclusive sense, as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to.” As used herein, the terms “connected,” “coupled,” or any variant thereof, means any connection or coupling, either direct or indirect, between two or more elements; the coupling of connection between the elements can be physical, logical, or a combination thereof. Additionally, the words “herein,” “above,” “below,” and words of similar import, when used in this application, shall refer to this application as a whole and not to any particular portions of this application. Where the context permits, words in the above Detailed Description using the singular or plural number may also include the plural or singular number respectively. The word “or,” in reference to a list of two or more items, covers all of the following interpretations of the word: any of the items in the list, all of the items in the list, and any combination of the items in the list.

The above detailed description of embodiments of the disclosure is not intended to be exhaustive or to limit the teachings to the precise form disclosed above. While specific embodiments of, and examples for, the disclosure are described above for illustrative purposes, various equivalent modifications are possible within the scope of the disclosure, as those skilled in the relevant art will recognize. For example, while processes or blocks are presented in a given order, alternative embodiments may perform routines having steps, or employ systems having blocks, in a different order, and some processes or blocks may be deleted, moved, added, subdivided, combined, and/or modified to provide alternative or sub-combinations. Each of these processes or blocks may be implemented in a variety of different ways. Also, while processes or blocks are at times shown as being performed in series, these processes or blocks may instead be performed in parallel, or may be performed at different times. Further any specific numbers noted herein are only examples: alternative implementations may employ differing values or ranges.

The teachings of the disclosure provided herein can be applied to other systems, not necessarily the system described above. The elements and acts of the various embodiments described above can be combined to provide further embodiments.

Any patents and applications and other references noted above, including any that may be listed in accompanying filing papers, are incorporated herein by reference. Aspects of the disclosure can be modified, if necessary, to employ the systems, functions, and concepts of the various references described above to provide yet further embodiments of the disclosure.

These and other changes can be made to the disclosure in light of the above Detailed Description. While the above description describes certain embodiments of the disclosure, and describes the best mode contemplated, no matter how detailed the above appears in text, the teachings can be practiced in many ways. Details of the system may vary considerably in its implementation details, while still being encompassed by the subject matter disclosed herein. As noted above, particular terminology used when describing certain features or aspects of the disclosure should not be taken to imply that the terminology is being redefined herein to be restricted to any specific characteristics, features, or aspects of the disclosure with which that terminology is associated. In general, the terms used in the following claims should not be construed to limit the disclosure to the specific embodiments disclosed in the specification, unless the above Detailed Description section explicitly defines such terms. Accordingly, the actual scope of the disclosure encompasses not only the disclosed embodiments, but also all equivalent ways of practicing or implementing the disclosure under the claims.

While certain aspects of the disclosure are presented below in certain claim forms, the inventors contemplate the various aspects of the disclosure in any number of claim forms. For example, while only one aspect of the disclosure is recited as a means-plus-function claim under 35 U.S.C. §112, ¶6, other aspects may likewise be embodied as a means-plus-function claim, or in other forms, such as being embodied in a computer-readable medium. (Any claims intended to be treated under 35 U.S.C. §112, ¶6 will begin with the words “means for.”) Accordingly, the applicant reserves the right to add additional claims after filing the application to pursue such additional claim forms for other aspects of the disclosure. 

What is claimed is:
 1. A method of setting mobile security settings for mobile devices used to access data provided by users in a cloud collaboration environment, the method comprising: receiving, at a server, a policy authorized by an administrator of an enterprise account of the cloud collaboration environment, the policy associated with mobile security settings on a mobile device of a user of the enterprise account, the policy including a policy type, a condition, and an action to perform if the condition is satisfied; concatenating one or more workflows associated with the policy type, the condition, and the action into an automation process; wherein the one or more workflows include tasks performed by the server in response to the policy type, the condition, and the action, wherein the policy type is selected from at least one of: download of content from the enterprise account, upload of content to the enterprise account, or sharing of content associated with the enterprise account, wherein the condition is based on at least one of: a number of downloaded files from the enterprise account, a time period over which the files are downloaded, uploading a file to a particular folder of the enterprise account, commenting on a file in the enterprise account, sharing a folder between users in the enterprise account, completion of the tasks; upon detecting that the condition for the automation process is satisfied, receiving a selection for the action; transmitting, by the server and based at least in part on the selection, the policy to a mobile device application running on at the mobile device, wherein the policy includes instructions for the mobile device application to configure security settings on the mobile device, and wherein the mobile device application is associated with the enterprise account; and in response to detecting that the action is a quarantine action, executing the action of moving one or more files in the enterprise account to a quarantine location, the one or more files in the quarantine location viewable to the administrator.
 2. The method of claim 1, further comprising: receiving, at the server, a duration of inactivity on the mobile device after which a passcode lock is required to be entered by a user to access data from the enterprise account in the cloud collaboration environment via the mobile device application; transmitting by the server to the mobile device application the duration, wherein the mobile device application enforces the requirement for entry of the passcode lock after the duration of inactivity has occurred.
 3. The method of claim 1, wherein the transmission of the policy occurs in response to a request from the mobile device application.
 4. The method of claim 3, wherein the request is made by the mobile device application after the user logs in to the mobile device application.
 5. The method of claim 1, wherein the action includes sending a notification to an email addresses provided by the administrator.
 6. A system of a cloud-based collaboration environment which provides enhanced configurable mobile security settings, the system comprising: a processor; a memory having stored thereon instructions which, when executed by the processor, causes the system to: receive a policy authorized by an administrator of an enterprise account on a cloud-based collaboration environment, the policy associated with mobile security settings on a mobile device of a user of the enterprise account, the policy including a policy type, a condition, and an action to perform if the condition is satisfied; concatenate one or more workflows associated with the policy type, the condition, and the action into an automation process; wherein the one or more workflows include tasks performed by the server in response to the policy type, the condition, and the action, wherein the policy type is selected from at least one of: download of content from the enterprise account, upload of content to the enterprise account, or sharing of content associated with the enterprise account, wherein the condition is based on at least one of: a number of downloaded files from the enterprise account, a time period over which the files are downloaded, uploading a file to a particular folder of the enterprise account, commenting on a file in the enterprise account, sharing a folder between users in the enterprise account, completion of the tasks; upon detecting that the condition for the automation process is satisfied, receive a selection for the action; transmit the policy to a mobile device application running on at the mobile device, wherein the policy includes instructions for the mobile device application to configure security settings on the mobile device, and wherein the mobile device application associated with the enterprise account; and in response to detecting that the action is a quarantine action, execute the action of moving one or more files in the enterprise account to a quarantine location, the one or more files in the quarantine location viewable to the administrator.
 7. The system of claim 6, wherein the system is further caused to receive, a duration of inactivity on the mobile device after which a passcode lock is required to be entered by a user to access data from the enterprise account in the cloud collaboration environment via the mobile device application; transmit to the mobile device application the duration, wherein the mobile device application enforces the requirement for entry of the passcode lock after the duration of inactivity has occurred.
 8. The system of claim 6, wherein transmission of the policy occurs in response to a request from the mobile device application, and further wherein the request is made by the mobile device application after the user logs in to the mobile device application.
 9. The system of claim 6, wherein the action includes sending a notification to an email addresses provided by the administrator. 